I'm using the DNS Resolver with forwarding enabled and the Quad9 servers. By default (without either DNSSEC or DNS over TLS) this works correctly. My understanding is that Quad9 supports both of these options.

I can enable DNSSEC in the resolver, however, this has mixed results. My clients can seemingly randomly resolve hosts. Most will work, but often I'll get an unresolved name error. A refresh (in browser) or requery (using nslookup) resolves this. It seems to be totally random.

On the other hand, I cannot enable DNS over TLS. When I do, PFSense can still resolve hosts (via the DNS Lookup tool) but clients cannot. This implies to me there's something going on within the resolver.

No errors are showing up in the Resolver logs so it's as if PFSense is just dropping the client requests.

I've attached a few screenshots of relevant settings and would love any thoughts/advice. Thanks!

I bet if you remove 853 from the ports and just use 53 it will work better.

I've actually tried disabling those firewall rules altogether but with the same results. PFSense definitely resolves upstream over 853, it just stops handling client requests correctly when I enable DNS over TLS.

Enabling dnssec when you forward is pretty pointless.. When you forward you want the end resolver to be doing dnssec, forwarding and asking for dnssec doesn't do anything worth anything.. Since you're trusting the forwarder anyway.. They could in theory send you anything they wanted to send you - even the dnssec info, since they control everything you get..

Set Quad9 in your dns, click the use forwarder and tls.. unbound should still be listening on 53!!! So your clients can do normal queries to it.. there is ZERO reason to use tls over your local lan to your NS on pfsense.. Is your LAN hostile?

Hey there, thank you very much for the insights! Here are responses to some of your questions:

Version of PFSense: 2.4.4-RELEASE-p1

I just tried disabling DNSSEC Support while enabling DNS over TLS... rebooted PFSense just for good measure, but still seeing the same result (ie, no clients can resolve DNS through PFSense). I've never enabled TLS for local resolutions but I confirmed that was still off as well.

When attempting to resolve via clients, through nslookup, I'm always receiving either a timeout while connecting to the DNS server (my PFSense box) or the error:

** server can't find google.com: SERVFAIL

Of interest is that the DNS Resolver status is showing these timeouts as well, even though doing lookups directly via the PFSense DNS Lookup tool do work:

Ok, update with a bit more info. Simplifying this such that the end goal is just DNS over TLS for now (I'll get to DNSSEC later).

So current status: the DNS Resolver doesn't resolve any client queries when DNS over TLS is enabled. PFSense itself can resolve these queries just fine (via the DNS Lookup tool.) No problems at all when DNS over TLS is disabled. Client queries do resolve just fine when DNS over TLS is disabled in basic forwarding mode.

I've cleaned up firewall rules to defaults (ie, removed any trying to capture and redirect external DNS requests from clients).

Current config:

PFSense 2.4.4-p1 running on Netgate SG-4860

Upstream DNS: Quad9

DNS Resolver:

Forwarding mode enabled

DNSSEC disabled

Outbound requests on WAN

Internal requests on LAN+Localhost

I've dialed up log verbosity on the DNS Resolver service, but I'm not seeing anything. I can see from the Resolver status that PFSense is successfully connected to the Quad9 servers on port 853. But every client query, from any client, simply fails.
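For reference, the settings listed in this post (forwarding mode, DNSSEC validation off, Quad9 upstream over TLS on 853, plain port 53 for LAN clients) correspond to the following unbound configuration. This is an added example, not anything posted in the thread or generated by pfSense; the LAN address, LAN subnet and CA bundle path are assumptions.

```conf
server:
    # Listen for plain DNS from LAN clients and from the box itself.
    # TLS is only used on the upstream leg; the LAN side stays on port 53.
    interface: 127.0.0.1
    interface: 192.168.1.1            # assumed LAN address of the firewall
    port: 53
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow   # assumed LAN subnet; everything else is refused

    # No auto-trust-anchor-file here: DNSSEC validation is left off, matching
    # the "DNSSEC disabled" setting above. Any validation happens at Quad9.

    # CA bundle used to verify the upstream certificate for dns.quad9.net.
    # Path assumed (FreeBSD/pfSense layout); a missing or unreadable bundle
    # makes every forwarded query fail while the TLS connection still "opens".
    tls-cert-bundle: /etc/ssl/cert.pem

    # Raise this while troubleshooting so client-side failures are logged.
    verbosity: 1

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#authname: the #name is what unbound checks the certificate against
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

`unbound-checkconf` validates the syntax of this file before unbound is restarted, which is a quicker first check than reading the resolver status page.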

I finally resolved this using the brute force method... I rebuilt the box.

Rather than using a backup I manually recreated my entire config. I had always suspected something had gone wrong with my certificate and cryptographic layer, but was never able to get to the bottom of it. The other symptom I had is that authing over SSH via public key had stopped working as well, while other things, such as HTTPS for the web configurator and my OpenVPN server, still worked correctly. Bizarre.

Coincidence or causation - the one thing I could pinpoint is that the DNS related issues started after installing PFBlockerNG, and unfortunately didn't start working again after I uninstalled it. This all broke some time ago (I think around the initial release of PFSense 2.4) so perhaps there was a bug or incompatibility at the time?

In any case - local DNS caching, DNSSEC, and DNS over TLS all work perfectly now. Sorry this was the resolution if anyone else runs into this :)